Email Alerts Fail to Work With STARTTLS
-
Hoping I can get some insight here, I can get email alerts to work fine with plaintext and no encryption but not with STARTTLS which is something I require for this firewall in specific.
To keep it short, I'm using ProtonMail's SMTP backend, which is what I use for a lot of different server alerts with STARTTLS and no issues but seems pfSense in specific is having an issue.
I get the below whenever "Secure SMTP Connection" is set to enabled:
Error: Failed to connect to ssl://smtp.protonmail.ch:587 [SMTP: Failed to connect socket: fsockopen(): Unable to connect to ssl://smtp.protonmail.ch:587 (Unknown error) (code: -1, response: )]
Settings are all good and definitely are correct since they work without Secure SMTP Connection set but I'd really prefer to have this enabled.
-
@planedrop
Secure SMTP Connection = "SMTP over SSL/TLS" as the text next to the check box shows. Disable this if the server doesn't support it.
STARTTLS is used automatically if the server offers this feature. -
@viragomann Maybe I'm misunderstanding something, so would unchecking Secure SMTP Connection make it use STARTTLS (assuming the SMTP server supports it)? I assumed enabling this auto used one of the two.
Thanks a ton for your help!
-
@planedrop
"SMTP over SSL/TLS" is a different protocol. It requires the server to send the SSL certificate after the first touch. With STARTTLS the encryption starts after the handshake.
-
@viragomann Yup, this makes sense to me now. Did a Wireshark capture as well and can verify it's using STARTTLS when the SMTP over SSL/TLS is disabled, makes total sense to me now. For some reason I thought it would default to plain text if that was unchecked but it definitely doesn't.
Thanks so much!
-
@planedrop said in Email Alerts Fail to Work With STARTTLS:
I get the below whenever "Secure SMTP Connection" is set to enabled:
In that case, you should not use port 587 (submission).
You should use the port 465, as that port is used for connections that are 'TLS from byte 1'.
587 (submission) is now old. You use it if no better alternatives are available.
Without asking Google or Proton, I'll leave that to you, I'm pretty sure proton also offers port 465 (SMTPS).
With 587 (submission), the connection is opened in clear ASCII mode. User credentials are exchanged (pretty not protected) and the server announces its capabilities.
If STARTTLS is one of them, the mail 'client' (pfSense in this case) throws out that command, and from then on the connection between the client and the server will be TLS.
587 (submission) was meant to be a stop gap solution so that mail client software that can support TLS, can go for TLS, and software that doesn't, can still use the same send-mail 'smtp' port.
These days, if possible, port 587 should be abandoned.
Exactly like visiting a web site : you can't go to http://some-site.tld anymore, as http usage is close to being prohibited.
The http (port 80) server - probably the .htaccess rules it is using - will intercept this, and rewrites the URL for you : https://some-site.tld
So : go over all your devices, and remove '587'.
If you use a mail server that doesn't support '465', consider stopping using their services ;) -
@Gertjan Right this makes sense, however Proton doesn't appear to allow 465 and is requiring 587 as far as I can tell, trying with 465 didn't do anything. Their instructions for SMTP sending say to enable SSL/TLS which is odd.
However, I did want to add that my understanding of STARTTLS is that it upgrades the connection BEFORE any user credentials are exchanged, maybe I'm misunderstanding though?
I also thought STARTTLS can be configured in a way where it still won't allow plaintext stuff even in the event of a MITM attack but I'm no expert when it comes to email protocols.
-
@planedrop said in Email Alerts Fail to Work With STARTTLS:
However, I did want to add that my understanding of STARTTLS is that it upgrades the connection BEFORE any user credentials are exchanged, maybe I'm misunderstanding though?
You are probably right.
I've disabled 'all 587' support on my own mail server, I'm using only '465' which is TLS from byte zero.
Easy to test, though.
telnet to mail.server.tld 587
and then
EHLO whatever.server.tld
and it should list the server capabilities.
If it lists :
..... 250-STARTTLS .....
then you can switch to TLS right away.
That's what pfSense is also doing :
It uses the EHLO (extended HELO) and if 'STARTTLS' comes back as a capability, it will be used.
Then authentication starts - over TLS.
@planedrop said in Email Alerts Fail to Work With STARTTLS:
I also thought STARTTLS can be configured in a way where it still won't allow plaintext stuff even in the event of a MITM attack but I'm no expert when it comes to email protocols.
If you don't want the 'both server and client have to agree when TLS is used', you have to force it.
When using submission, port 587, STARTTLS is and remains optional. That is : the server has to offer it. And the client has to use it, if the server offers it.
Maybe it's possible to inform the mail server (me: postfix) so that a STARTTLS is mandatory.
edit : yes :
https://www.postfix.org/SASL_README.html
/etc/postfix/main.cf: smtpd_tls_auth_only = yes
Btw : strange : an ISP that does not offer 'SMTPS' or port '465'.
All traffic is TLS these days. -
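As an added illustration of the EHLO/STARTTLS check described above (example code written for this page, not pfSense's own mailer or anything from the thread): the first function parses an EHLO reply constructed from the capability lines quoted later in the thread, and the second refuses to send credentials unless the session is already TLS, either implicit TLS on 465 or a STARTTLS upgrade on 587, the client-side counterpart of the Postfix smtpd_tls_auth_only setting. Host names, credentials and addresses are placeholders.

```python
import smtplib
import ssl

# Constructed EHLO reply, modelled on the capability lines quoted in this thread.
SAMPLE_EHLO = (b"250-mailsub001.protonmail.ch\r\n250-PIPELINING\r\n250-SIZE 36480000\r\n"
               b"250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 CHUNKING\r\n")


def parse_ehlo(reply: bytes) -> dict:
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [parameters]}.
    The first line is the server's hostname, not a capability, so it is skipped."""
    caps = {}
    lines = reply.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:
        if len(line) < 4 or not line.startswith("250"):
            continue
        words = line[4:].split()          # drop the '250-' / '250 ' prefix
        if words:
            caps[words[0].upper()] = words[1:]
    return caps


def starttls_offered(reply: bytes) -> bool:
    """True only if the server advertises STARTTLS in its EHLO reply."""
    return "STARTTLS" in parse_ehlo(reply)


def send_alert(host, port, user, password, from_addr, to_addr, body, implicit_tls=False):
    """Deliver one alert, never sending AUTH over a cleartext session.
    implicit_tls=True is 'TLS from byte 1' (port 465); otherwise the session starts
    in cleartext (port 587) and MUST be upgraded with STARTTLS before login."""
    ctx = ssl.create_default_context()    # verifies the server certificate and hostname
    if implicit_tls:
        server = smtplib.SMTP_SSL(host, port, context=ctx, timeout=30)
    else:
        server = smtplib.SMTP(host, port, timeout=30)
        server.ehlo()
        if not server.has_extn("starttls"):
            server.quit()
            raise RuntimeError("server does not offer STARTTLS; refusing cleartext AUTH")
        server.starttls(context=ctx)
        server.ehlo()                     # capabilities can change after the upgrade
    with server:                          # quit() on exit
        server.login(user, password)
        server.sendmail(from_addr, [to_addr], f"Subject: pfSense alert\r\n\r\n{body}")
```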
@Gertjan Thanks for finding that bit on postfix for me, makes sense then but I completely agree that it's odd they don't support 465 with implicit TLS, not sure why. I've reached out to Proton directly to see if they have a particular reason for only supporting STARTTLS with 587 so I guess we'll see what they respond with (in my experience their technical teams are really good and will usually provide a very detailed response, so I'll relay that here just for fun lol).
Really appreciate the help looking into this though, thanks a ton!!
-
@planedrop said in Email Alerts Fail to Work With STARTTLS:
@Gertjan Thanks for finding that bit on postfix for me, makes sense then but I completely agree that it's odd they don't support 465 with implicit TLS, not sure why. I've reached out to Proton directly to see if they have a particular reason for only supporting STARTTLS with 587 so I guess we'll see what they respond with (in my experience their technical teams are really good and will usually provide a very detailed response, so I'll relay that here just for fun lol).
Really appreciate the help looking into this though, thanks a ton!!
Hello, I dug this out to ask whether you solved the TLS problem. I'm trying to set notifications on SG2100 without success and similar results.
error:
Could not send the message to -- Error: Failed to connect to ssl://smtp.protonmail.ch:587 [SMTP: Failed to connect socket: stream_socket_client(): Unable to connect to ssl://smtp.protonmail.ch:587 (Unknown error) (code: -1, response: )]
250-mailsub001.protonmail.ch
250-PIPELINING
250-SIZE 36480000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 CHUNKING
It works with other SMTP tools. I'm sitting on 24.11
EDIT: nvm I figured it out by unchecking Enable SMTP over SSL/TLS. I guess that way it is set to Auto and handshakes with the server.
Thanks
-
@allsome Yup I was about to respond that unchecking it should do what you need, at least as far as I can tell. I am still using it with this firewall and Proton's SMTP service and it's working fine.